Date: Mon, 06 May 2002 00:28:18 +0100
From: ReDeeMeR
Subject: Re: [Re: Buffer overflow in /usr/games/strfile]
Sender: owner-freebsd-security@FreeBSD.ORG

I have now constructed a patch for this program and have sent it to FreeBSD
as part of a Problem Report.

Thanks for your pointers, and for the two URLs ... next time I'll learn to
RTFM a little more closely.

Thanks again,
ReDeeMeR

Colin Percival wrote:

> Given that this is not a security issue -- as you point out, "no extra
> privileges can be gained" -- this is rather off-topic for -security;
> nevertheless, it is less so than discussions of mailing list sender
> restrictions, so I'll go ahead and respond.
>
> If you look at
> http://www.freebsd.org/cgi/cvsweb.cgi/src/games/fortune/strfile/strfile.c
> you'll see the CVS log for the file in question. At present it shows that
> the latest change was made six weeks ago; your change has not been
> incorporated.
>
> This isn't really surprising, since FreeBSD is run by volunteers, and
> unless they are either provided with a patch or convinced that an issue is
> vitally important, nothing is likely to happen. You've described a
> problem, worked out how to fix it, described how to fix it... but you
> haven't completed the final two steps: Generating a patch, and submitting
> it as part of a Problem Report.
>
> So, here's what you should do:
> 1. Generate a patch for src/games/fortune/strfile/strfile.c. This means
> running `diff -c` on the original file and your fixed version.
> 2. Use send-pr to generate a problem report. Make sure the synopsis field
> starts with [PATCH], and run send-pr with the -a option to include your
> patch file.
> 3. Wait until a committer notices your pr and incorporates your patch.
>
> I'd also suggest that you read
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/problem-reports/article.html
> and
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributing/contrib-how.html
>
> Colin Percival